feat: add OpenVPN parser and bruteforce scenario

Author: PrOOnOOb

parsers/s01-parse/proonoob/openvpn.yaml

@@ -0,0 +1,35 @@
+filter: "evt.Line.Labels.type == 'openvpn'"
+onsuccess: next_stage
+name: proonoob/openvpn
+description: "Parse OpenVPN logs (supports both syslog and ISO8601 timestamp formats)"
+pattern_syntax:
+    OPENVPN_TLS_CRYPT: "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} %{NOTSPACE}: TLS Error: tls-crypt unwrapping failed from \\[AF_INET\\]%{IPV4:source_ip}:%{INT:sport}"
+    OPENVPN_AUTH_FAILED: "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} %{NOTSPACE}: AUTH: Received control message: AUTH_FAILED.*\\[AF_INET\\]%{IPV4:source_ip}:%{INT:sport}"
+    OPENVPN_TLS_HANDSHAKE: "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} %{NOTSPACE}: TLS Error: TLS handshake failed"
+    OPENVPN_VERIFY_ERROR: "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} %{NOTSPACE}: VERIFY ERROR"
+    OPENVPN_CATCHALL: "%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA}"
+nodes:
+  - grok:
+      name: "OPENVPN_TLS_CRYPT"
+      apply_on: message
+  - grok:
+      name: "OPENVPN_AUTH_FAILED"
+      apply_on: message
+  - grok:
+      name: "OPENVPN_TLS_HANDSHAKE"
+      apply_on: message
+  - grok:
+      name: "OPENVPN_VERIFY_ERROR"
+      apply_on: message
+  - grok:
+      name: "OPENVPN_CATCHALL"
+      apply_on: message
+statics:
+  - meta: service
+    value: openvpn
+  - meta: source_ip
+    expression: "evt.Parsed.source_ip"
+  - meta: log_type
+    value: auth_failed
+  - target: evt.StrTime
+    expression: "evt.Parsed.timestamp"

scenarios/proonoob/openvpn-bf.yaml

@@ -0,0 +1,12 @@
+type: leaky
+name: proonoob/openvpn-bf
+description: "Detect OpenVPN probing and bruteforce attempts via TLS errors"
+filter: "evt.Meta.service == 'openvpn' && evt.Meta.log_type == 'auth_failed'"
+groupby: "evt.Meta.source_ip"
+capacity: 2
+leakspeed: "5m"
+blackhole: "1m"
+labels:
+  service: openvpn
+  type: bruteforce
+  remediation: true